Host Identity Indirection Infrastructure – Hi3
Jari Arkko, Pekka Nikander and Börje Ohlman
Ericsson Research

Presentation outline
• Motivation
• Background
• Secure i3
• Hi3
• Summary

Hi3 motivation
• Question: How to get data based on HIT only?
  • HITs look like 128-bit random numbers
• Possible answer: DHT based overlay like i3
• Extra bonus: DDoS protection
  • Inherited from Secure i3 and enhanced

Background
• Current HIP name resolution
• Basic HIP rendezvous service
• About Distributed Denial-of-Service attacks
• Two slide introduction to Distributed Hash Tables

Current HIP name resolution
• HITs or HIs in the DNS
• DNS query asks for addresses and HITs
• Requires one to have a DNS name
• HITs not resolvable due to name space being flat
[Figure: Client app sends DNS query (A, AAAA, HIT) to DNS server; DNS reply carries A, AAAA, HIT]

Basic HIP rendezvous service
• Keep track of Responder’s IP address(es)
• Forward I1 to Responder
• Optionally forward R1 back to the Initiator and then I2 to the Responder
• Keeps Responder’s IP address(es) hidden until it has a chance to verify the puzzle
[Figure: Initiator sends I1 to RVS, RVS forwards I1 to Responder; R1 returns to the Initiator]

Distributed Hash Tables (DHT)
• Distributed directory for flat data
• Several different ways to implement
• Each server maintains a partial map
• Overlay addresses to direct to the right server
• Resilient through parallel, unrelated mappings

DHTs: Example
[Figure: ring of 5-bit node identifiers with one node's routing table]
Prefix   Default node   Real node
00110    00110 = 6      none exists
0010_    00101 = 5      none exists
000__    00011 = 3      → 1
01___    01111 = 15     → 10
1____    10111 = 23     → 24
RT size = log2(|address|)
path length = log2(|address|)

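The two DHT slides above state the two facts that matter for Hi3: a node keeps one routing-table entry per identifier bit (RT size = log2 of the address space) and a lookup takes at most that many hops. The following is an added illustration, not the authors' code: a toy prefix-routing DHT (Pastry/PRR style) over the slide's 5-bit space. The live node set is my reading of the ring diagram, and the table rule (default node = own identifier with one bit flipped, real node = live node numerically closest to the default among those carrying the prefix) is an assumption chosen because it reproduces the routing table on the slide.

```python
# Toy prefix-routing DHT (Pastry/PRR style) over a 5-bit identifier space.
# Added illustration, not the authors' code. LIVE_NODES is read off the slide's
# ring diagram (assumption); the routing-table rule below is an assumption that
# reproduces the slide's table for the node with identifier 00111.
BITS = 5
SPACE = 1 << BITS
LIVE_NODES = [0b00001, 0b00111, 0b01010, 0b10010, 0b10101,
              0b11000, 0b11010, 0b11101, 0b11111]


def bits(n):
    return format(n, f"0{BITS}b")


def common_prefix_len(a, b):
    """Number of leading bits a and b share."""
    x = (a ^ b) & (SPACE - 1)
    return BITS if x == 0 else BITS - x.bit_length()


def build_table(node_id, live):
    """One entry per bit position: (prefix pattern, default node, real node).
    The entry for bit b covers every id that agrees with node_id above b and
    differs at b; it is the only place traffic for such ids can be forwarded."""
    table = []
    for bit in range(BITS):            # bit 0 = least significant
        default = node_id ^ (1 << bit)
        plen = BITS - bit              # pattern fixes bits from the top down to 'bit'
        pattern = bits(default)[:plen] + "_" * (BITS - plen)
        cands = [n for n in live if n >> bit == default >> bit]
        real = min(cands, key=lambda n: (abs(n - default), n)) if cands else None
        table.append((pattern, default, real))
    return table


def lookup(start, key, live):
    """Route key from start using the routing tables. Each hop lands on a node
    sharing a strictly longer prefix with key, so at most BITS = log2(|address|)
    hops are taken. Routing stops at key itself, or at the first node whose
    matching entry is empty (no live node shares a longer prefix with key)."""
    path = [start]
    cur = start
    while cur != key:
        bit = BITS - 1 - common_prefix_len(cur, key)   # highest differing bit
        _pattern, _default, real = build_table(cur, live)[bit]
        if real is None:
            break
        cur = real
        path.append(cur)
    return path


if __name__ == "__main__":
    for row in build_table(0b00111, LIVE_NODES):
        print(row)
    print([bits(n) for n in lookup(0b00111, 0b11111, LIVE_NODES)])
```

Running `build_table(0b00111, LIVE_NODES)` yields the five rows of the slide's table; `lookup` shows the log2 bound in action, and an empty entry (the "none exists" rows) is exactly where a lookup for an absent identifier terminates, which is the situation a HIT lookup for an unregistered host would hit.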
About DDoS Attacks
• Attacks a victim from dozens to thousands of network locations at the same time
• Employs zombies, typically hacked PCs
• Observation:
  • Keeping IP address hidden protects from DDoS
• Question:
  • How to keep a server’s IP address hidden?

Secure i3
• i3 overview
• Secure i3 principles
• Diluting a DoS/DDoS attack in i3

i3 overview
• Efficient indirection layer on top of IP
• Overlay network consisting of rendezvous servers
• Rendezvous based communication abstraction
• Each packet has a recipient identifier
• Rendezvous servers maintain triggers
  • Trigger is an (id, destination) pair
  • Destination is typically an IP address

Rendezvous Communication
• Packets addressed to identifiers (“names”)
• Trigger: (Identifier, IP address): inserted by receiver and then used by sender
• Triggers are mappings set up by end-hosts, and stored in DHTs (can point to other triggers too)
[Figure: Sender does send(ID, data); the trigger (ID → R) turns it into send(R, data), delivered to Receiver (R)]
(Slide courtesy of Ion Stoica, UC Berkeley)

Secure i3 principles
• Hide IP addresses
  • Must use overlay
• End-hosts have ability to defend against attacks (in the network)
• Don’t create additional vulnerabilities

Diluting a DoS attack in i3
• Attacker (A) floods victim via i3 public triggers
• Victim (V) dilutes attack by dropping two of its four public triggers
[Figure: four public triggers x1, x2, x3, x4 all pointing to V; after dilution only two of them remain]
(Slide courtesy of Dan Adkins, UC Berkeley)

Hi3
• Basic approach: Combine HIP and (Secure) i3
  • Use i3 as a transport for HIP packets
  • Use regular IP(sec) for regular data traffic
• Hides IP addresses until the Responder has been able to verify the puzzle
• HIP mobility and multi-homing can be used to redirect and redistribute regular traffic

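The rendezvous slide, the i3 trigger slide, the DoS-dilution slide and the Hi3 slide above describe one mechanism from different angles: HIP control packets are addressed to HITs and delivered through triggers, the Responder's IP address is not released until the I2 puzzle verifies, and a victim can shed load by dropping public triggers. The following added illustration (not the authors' code) models all of that in one toy. Everything concrete in it is an assumption: the puzzle is a simplified leading-zero-bits hash puzzle, the packet fields, HIT values and addresses are constructed, and the Initiator's locator is assumed to travel inside I2.

```python
# Toy Hi3 control plane: HIP base-exchange packets (I1, R1, I2, R2) travel through
# an i3-style trigger overlay addressed by HIT; the Responder's IP address is only
# released inside R2, after the puzzle answered in I2 verifies. Added illustration,
# not the authors' code: puzzle format, packet fields, HITs and addresses are assumed.
import hashlib
import os

DIFFICULTY = 12  # leading zero bits a puzzle solution must produce (toy value)

def puzzle_bits(nonce, hit_i, hit_r, j):
    """Leading zero bits of H(nonce | HIT_I | HIT_R | J)."""
    h = hashlib.sha256(nonce + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return 256 - int.from_bytes(h, "big").bit_length()

def solve_puzzle(nonce, hit_i, hit_r, k):
    """Brute force on the Initiator side: about 2**k hashes."""
    j = 0
    while puzzle_bits(nonce, hit_i, hit_r, j) < k:
        j += 1
    return j

def check_puzzle(nonce, hit_i, hit_r, j, k=DIFFICULTY):
    """One hash on the Responder side."""
    return puzzle_bits(nonce, hit_i, hit_r, j) >= k

class Overlay:
    """i3-style rendezvous: a trigger maps an identifier to a delivery callback."""
    def __init__(self):
        self.triggers = {}
    def insert(self, ident, deliver):
        self.triggers[ident] = deliver
    def remove(self, ident):
        self.triggers.pop(ident, None)
    def send(self, ident, pkt):
        """Senders name identifiers only; the destination behind a trigger stays hidden."""
        deliver = self.triggers.get(ident)
        if deliver is None:
            return False  # no trigger: the packet goes nowhere
        deliver(pkt)
        return True

class Responder:
    def __init__(self, overlay, hit, ip):
        self.overlay, self.hit, self.ip = overlay, hit, ip
        self.pending = {}  # initiator HIT -> nonce handed out in R1
        self.peers = {}    # initiator HIT -> locator learned from a verified I2
        overlay.insert(hit, self.receive)
    def receive(self, pkt):
        if pkt["type"] == "I1":
            nonce = os.urandom(8)
            self.pending[pkt["hit_i"]] = nonce
            # R1 goes back through the overlay and carries no address of ours.
            self.overlay.send(pkt["hit_i"], {"type": "R1", "hit_r": self.hit,
                                             "nonce": nonce, "k": DIFFICULTY})
        elif pkt["type"] == "I2":
            nonce = self.pending.get(pkt["hit_i"])
            if nonce is None or not check_puzzle(nonce, pkt["hit_i"], self.hit, pkt["j"]):
                return  # unsolicited or unsolved I2: dropped, address stays hidden
            del self.pending[pkt["hit_i"]]
            self.peers[pkt["hit_i"]] = pkt["ip_i"]
            self.overlay.send(pkt["hit_i"], {"type": "R2", "hit_r": self.hit, "ip_r": self.ip})

class Initiator:
    def __init__(self, overlay, hit, ip):
        self.overlay, self.hit, self.ip = overlay, hit, ip
        self.peer_ip = None  # set by R2 only; user-plane traffic then runs over IP/ESP
        overlay.insert(hit, self.receive)
    def connect(self, hit_r):
        self.overlay.send(hit_r, {"type": "I1", "hit_i": self.hit})
    def receive(self, pkt):
        if pkt["type"] == "R1":
            j = solve_puzzle(pkt["nonce"], self.hit, pkt["hit_r"], pkt["k"])
            self.overlay.send(pkt["hit_r"], {"type": "I2", "hit_i": self.hit,
                                             "j": j, "ip_i": self.ip})
        elif pkt["type"] == "R2":
            self.peer_ip = pkt["ip_r"]

HIT_R = hashlib.sha256(b"responder host identity").digest()[:16]  # constructed stand-ins
HIT_I = hashlib.sha256(b"initiator host identity").digest()[:16]

def run_exchange():
    """Full I1/R1/I2/R2 over the overlay; returns the IPs each side learned."""
    ov = Overlay()
    r = Responder(ov, HIT_R, "192.0.2.10")
    i = Initiator(ov, HIT_I, "192.0.2.20")
    i.connect(HIT_R)
    return i.peer_ip, r.peers.get(HIT_I)

def dilute_flood(per_trigger=100):
    """Victim with four public triggers drops two: the delivered flood halves while a
    legitimate sender still gets through a surviving trigger (slide 14)."""
    ov, delivered, public = Overlay(), [], [b"x1", b"x2", b"x3", b"x4"]
    for t in public:
        ov.insert(t, delivered.append)
    flood = lambda: sum(ov.send(t, "flood") for t in public for _ in range(per_trigger))
    before = flood()
    for t in (b"x3", b"x4"):
        ov.remove(t)
    return before, flood(), ov.send(b"x1", "hello")
```

`run_exchange()` returns `("192.0.2.10", "192.0.2.20")`: neither side's address is in any packet before I2 verifies, so a sender that knows only a HIT and floods its trigger reaches the Responder's overlay handler but never learns where to send IP-level traffic, and an I2 that was not preceded by an I1/R1 round is silently dropped. `dilute_flood()` returns `(400, 200, True)`, the slide-14 effect: dropping two of four public triggers halves what gets through while a legitimate sender on a surviving trigger still connects.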
Hi3 overlay and IPsec connectivity
[Figure: i3 overlay based control plane above an IPsec based user plane]

Hi3 overlay and IPsec connectivity
• i3 overlay for signalling (control plane)
  • Routes only HIP control packets
• E2E IPsec ESP for data traffic (user plane)
• Firewalls/middle boxes opened dynamically
  • Only end-to-end signalling (HIP)
  • Middle boxes “snoop” e2e messages

HIP vs IP connectivity
IP connectivity                  HIP connectivity
Between any IP addresses         Between any HITs
Created by routing               Created by DHT
Hosts always reachable           Hosts reachable after signalling
Unsecure                         (Opportunistically) Secure
Broken by NATs and FWs           Goes through NATs and FWs

Upper layer view
• IP connectivity problematic today
  • Broken by firewalls, NATs, mobility
  • Two versions of IP: IPv4 and IPv6
• Hi3 as a potential remedy
  • Restores end-to-end connectivity
  • Handles mobility and multi-homing
  • Protects from DDoS attacks

Where is network state?
• Routers know addresses
  • Just like today
• DHT knows HITs
  • Lease based storage
• Middle boxes know SPIs
  • Soft state
[Figure: layers labelled Naming, Addressing, Routing]

Summary
• Combine HIP and i3
  • HIP packets flow through i3 overlay
  • Regular traffic over today’s IP
• IP addresses hidden in the beginning
• Solves the HIT referral problems
• Protects from DDoS attacks